fix: reject plaintext ApplicationData records per RFC 6347/9147 #90

Merged
algesten merged 2 commits into algesten:main from HMBSbige:fix/reject-plaintext-application-data
Mar 9, 2026
@HMBSbige HMBSbige commented Mar 9, 2026

Summary

  • Reject plaintext ApplicationData records at the record-layer parser for both DTLS 1.2 (epoch 0 whitelist: CCS/Alert/Handshake) and DTLS 1.3 (plaintext whitelist: Alert/Handshake/Ack per RFC 9147 §4.1)
  • DTLS 1.3 plaintext records with non-zero epoch are now rejected
  • Invalid records are silently discarded (RFC 6347 §4.1.2.7) so subsequent valid records in the same datagram are still processed
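
The filtering rule from the summary above, as an added Rust sketch that is not code from this pull request or from the crate. Type and function names are hypothetical; it assumes every record uses the 13-byte plaintext record header (the DTLS 1.3 unified ciphertext header is not parsed) and that `record()` builds constructed sample input.

```rust
#[derive(Clone, Copy)]
pub enum Version { Dtls12, Dtls13 }

const CCS: u8 = 20;
const ALERT: u8 = 21;
const HANDSHAKE: u8 = 22;
const APPLICATION_DATA: u8 = 23;
const ACK: u8 = 26;
const HEADER_LEN: usize = 13; // type(1) version(2) epoch(2) seq(6) length(2)

/// Returns (content_type, epoch, payload) for each record that passes the filter.
pub fn accept_records(v: Version, datagram: &[u8]) -> Vec<(u8, u16, &[u8])> {
    let mut out = Vec::new();
    let mut rest = datagram;
    while rest.len() >= HEADER_LEN {
        let ct = rest[0];
        let epoch = u16::from_be_bytes([rest[3], rest[4]]);
        let len = u16::from_be_bytes([rest[11], rest[12]]) as usize;
        if rest.len() < HEADER_LEN + len {
            break; // truncated record: the next boundary is unknown, stop here
        }
        let (record, tail) = rest.split_at(HEADER_LEN + len);
        rest = tail;
        let ok = match v {
            // Epoch 0 is unprotected in DTLS 1.2; later epochs go on to decryption.
            Version::Dtls12 => epoch != 0 || matches!(ct, CCS | ALERT | HANDSHAKE),
            // Records in this header format are plaintext in DTLS 1.3: epoch must be 0.
            Version::Dtls13 => epoch == 0 && matches!(ct, ALERT | HANDSHAKE | ACK),
        };
        if ok {
            out.push((ct, epoch, &record[HEADER_LEN..]));
        } // otherwise discard silently and continue with the next record
    }
    out
}

/// Constructed sample record (version bytes 0xfefd, sequence number 0).
pub fn record(ct: u8, epoch: u16, payload: &[u8]) -> Vec<u8> {
    let mut r = vec![ct, 0xfe, 0xfd];
    r.extend_from_slice(&epoch.to_be_bytes());
    r.extend_from_slice(&[0u8; 6]);
    r.extend_from_slice(&(payload.len() as u16).to_be_bytes());
    r.extend_from_slice(payload);
    r
}

fn main() {
    let dgram = [record(APPLICATION_DATA, 0, b"injected"), record(HANDSHAKE, 0, b"hs")].concat();
    println!("{:?}", accept_records(Version::Dtls12, &dgram)); // only the Handshake record
}
```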

@algesten algesten left a comment

LGTM!

Thank you!

@algesten algesten merged commit 9fd07a6 into algesten:main Mar 9, 2026
46 checks passed
@HMBSbige HMBSbige deleted the fix/reject-plaintext-application-data branch March 9, 2026 09:36